Security and single sign-on (SSO) are central concerns in Web application development. App Manager can provide a security layer that handles single sign-on on top of all the Web applications registered with it. The single sign-on flow is depicted in the diagram below.

Securing a Web application with SAML2 SSO follows this sequence of events.

When a request reaches the application gateway, the gateway checks for an authentication cookie. If the cookie is present, the request is forwarded to the actual Web application URL. If it is not, the request is redirected to the Identity Provider's (IdP) login page, where the user must provide credentials.

If authentication succeeds, the IdP redirects the user back to the gateway URL with a SAML response. The gateway validates the SAML response, and only then can the user access the Web application. The gateway uses a JWT to pass the logged-in user's details to the actual Web application.

Add the Web application as a service provider in the service provider configuration of the IdP. For more information on configuring a SAML2 service provider in WSO2 Identity Server, see Adding a Service Provider.

When setting up the service provider:

Provide the Web application name as the issuer in the service provider configuration.

Set the assertion consumer URL to the gateway URL of the Web application, so that the SAML response is delivered to the gateway and not directly to the application.

Once this setup is done, subscribed users can access the Web application in SSO mode. In SSO mode you need to authenticate only once: if you access another subscribed application from the same browser, you are logged in to the second application automatically.

Enabling JWT generation

App Manager uses a JWT as the medium for sending user details to the Web application. All the claims returned by the IdP, together with the user name, are included in the JWT.

To enable JWT generation, uncomment the EnableTokenGeneration element in the <PRODUCT_HOME>/repository/conf/app-manager.xml file and set its value to true, as follows:

SSO is now configured and user details are sent to the Web application in a JWT. The JWT's segments are base64url encoded and must be decoded before use at the Web application. Decoding alone does not authenticate the token: before trusting its claims, the Web application should verify the JWT signature and make sure the request reached it through the gateway rather than directly. A sample decoded JWT is shown below.
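The following is an added example, not App Manager code, of what the backend Web application should do with the forwarded JWT: restore the base64url padding, pin the algorithm, verify the signature, check the lifetime, and only then read the user name. The header name X-JWT-Assertion, the claim URIs and the sample claim set are assumptions, and the example uses HS256 with a shared secret so that it runs offline; App Manager signs with the gateway keystore, so with RS256 the signature check uses the gateway's public certificate instead of a shared secret.

```python
# Added example (not App Manager code): backend-side handling of the JWT the
# gateway forwards.  Assumed, because the page does not state them: the
# transport header name X-JWT-Assertion, the claim URIs, and HS256 with a
# shared secret so the example runs offline (App Manager signs with RSA).
import base64
import hashlib
import hmac
import json
import time

JWT_HEADER = "X-JWT-Assertion"                          # assumed header name
USERNAME_CLAIM = "http://wso2.org/claims/enduser"       # assumed claim URI
SHARED_SECRET = b"example-secret-not-for-production"    # constructed, HS256 only


def b64url_decode(segment):
    """JWT segments are base64url without '=' padding; restore it before decoding."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def mint_jwt(claims, secret=SHARED_SECRET, alg="HS256"):
    """Stand-in for the gateway: build a compact JWT for the sample request."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_jwt(token, secret=SHARED_SECRET, now=None):
    """Return the claims only after the signature and lifetime check out.

    Base64-decoding the payload is not authentication: anyone who can reach the
    backend directly can send a perfectly decodable token, so the signature is
    checked before any claim is read."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT: expected header.payload.signature")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm; never let the token choose (rejects alg=none and swaps).
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("JWT signature verification failed")
    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("JWT expired")
    return claims


def authenticated_user(headers, now=None):
    """Backend request filter: read the gateway's header, return the user name."""
    token = headers.get(JWT_HEADER)
    if token is None:
        raise ValueError(f"missing {JWT_HEADER} header")
    return verify_jwt(token, now=now)[USERNAME_CLAIM]


# Constructed sample claim set: IdP claims plus the user name, as the page describes.
SAMPLE_CLAIMS = {
    "iss": "wso2.org/products/appm",
    "exp": 1700000900,
    USERNAME_CLAIM: "alice@carbon.super",
    "http://wso2.org/claims/emailaddress": "alice@example.com",
    "http://wso2.org/claims/role": "Internal/subscriber",
}

if __name__ == "__main__":
    request_headers = {JWT_HEADER: mint_jwt(SAMPLE_CLAIMS)}
    print("logged-in user:", authenticated_user(request_headers, now=1700000000))
```

The order of the checks is the point: algorithm pinning before signature, signature before any claim is read, expiry before the user name is returned. A token with a wrong key, a swapped algorithm or a past exp is rejected even though its payload decodes cleanly.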

Sending SAML response to backend

In addition to the JWT, App Manager can be configured to send the whole SAML response generated by the IdP to the backend Web application as a transport header. This is useful if the backend Web application already knows how to handle SAML responses, or if the response can be decoded there to obtain the authenticated user's details.

To send the SAML response to the backend Web application, uncomment the AddSAMLResponseHeaderToOutMessage element in the <PRODUCT_HOME>/repository/conf/app-manager.xml file and set its value to true, as follows:
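As an added example, not App Manager code, the following shows how a backend Web application can decode the forwarded SAML response and extract the authenticated user: it checks the status, confirms the assertion's Audience is the Web application name registered as the SP issuer, checks the validity window, and reads the NameID and attributes. The header name X-SAML-Response, the header carrying the base64-encoded samlp:Response as received from the IdP, and the sample response are assumptions. It deliberately does not verify the XML signature, which is only acceptable when the backend is reachable solely through the gateway that already validated the response.

```python
# Added example (not App Manager code): reading the SAML response the gateway
# forwards as a transport header.  Assumed, because the page does not state
# them: the header name X-SAML-Response and that its value is the base64-
# encoded <samlp:Response> as received from the IdP.
import base64
import xml.etree.ElementTree as ET
from datetime import datetime

SAML_HEADER = "X-SAML-Response"    # assumed header name
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def parse_time(iso):
    """SAML timestamps are UTC with a trailing Z, which older fromisoformat rejects."""
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))


def user_from_saml_response(header_value, app_name, now):
    """Decode the header and return issuer, NameID and attributes of the assertion.

    Caveat: this reads identity but does NOT verify ds:Signature.  That is only
    acceptable when the backend is reachable solely through the gateway, which
    has already validated the response.  A backend exposed directly must verify
    the XML signature (with a SAML library) before trusting anything below."""
    root = ET.fromstring(base64.b64decode(header_value))
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("header does not carry a samlp:Response")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("SAML status is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plain saml:Assertion (an EncryptedAssertion must be decrypted first)")
    # The Web application name registered as the SP issuer comes back as the Audience;
    # an assertion issued for another application must not log the user in here.
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if app_name not in audiences:
        raise ValueError(f"assertion audience {audiences} is not {app_name!r}")
    conditions = assertion.find("saml:Conditions", NS)
    if now >= parse_time(conditions.get("NotOnOrAfter")):
        raise ValueError("assertion has expired")
    attributes = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attributes[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return {
        "issuer": assertion.findtext("saml:Issuer", namespaces=NS),
        "name_id": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "attributes": attributes,
    }


# Constructed sample response (unsigned, minimal) for a Web application named "TravelBooking".
SAMPLE_RESPONSE = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>localhost</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>localhost</saml:Issuer>
    <saml:Subject><saml:NameID>alice@carbon.super</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction><saml:Audience>TravelBooking</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://wso2.org/claims/emailaddress">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def sample_headers():
    """What the gateway would put on the outgoing request (constructed)."""
    return {SAML_HEADER: base64.b64encode(SAMPLE_RESPONSE).decode("ascii")}


if __name__ == "__main__":
    when = parse_time("2024-01-01T00:01:00Z")
    print(user_from_saml_response(sample_headers()[SAML_HEADER], "TravelBooking", when))
```

The Audience check is what ties the assertion back to the service provider setup above: because the Web application name is registered as the SP issuer, an assertion the IdP issued for a different application carries a different Audience and is refused here, even though it is otherwise a valid, successful response.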